saltstack / salt

Software to automate the management and configuration of any infrastructure or application at scale. Install Salt from the Salt package repositories here:
https://docs.saltproject.io/salt/install-guide/en/latest/
Apache License 2.0

[BUG] Salt master tries to access /etc/salt/grains when it shouldn't need to #66746

Open Sxderp opened 3 months ago

Sxderp commented 3 months ago

Description
When running the salt-master as non-root the service attempts to access /etc/salt/grains. As far as I'm aware it shouldn't need to access that file. The grains file should be reserved for the minion running on the host.

Setup
RHEL9

Steps to Reproduce the behavior
Install salt-master. Configure master to run as non-root.

```bash
# systemd drop-in: run salt-master as the salt user; the "+" prefix runs the chown with full privileges
cat << EOF > /etc/systemd/system/salt-master.service.d/override.conf
[Service]
User=salt
Group=salt
ExecStartPre=+chown salt:salt -R /etc/salt/pki/master /etc/salt/master /etc/salt/master.d /var/cache/salt/master /var/run/salt/master /var/log/salt
EOF
systemctl daemon-reload
```

Expected behavior
To not try and access the grains file. Or at least don't error.

Screenshots

```
Traceback (most recent call last):
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/__init__.py", line 1188, in grains
    ret = funcs[key](**kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 160, in __call__
    ret = self.loader.run(run_func, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1269, in run
    return self._last_context.run(self._run_as, _func_or_method, *args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/loader/lazy.py", line 1284, in _run_as
    return _func_or_method(*args, **kwargs)
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/grains/extra.py", line 57, in config
    with salt.utils.files.fopen(gfn, "rb") as fp_:
  File "/opt/saltstack/salt/lib/python3.10/site-packages/salt/utils/files.py", line 388, in fopen
    f_handle = open(  # pylint: disable=resource-leakage,unspecified-encoding
PermissionError: [Errno 13] Permission denied: '/etc/salt/grains'
```

Versions Report

salt --versions-report

```yaml
Salt Version:
  Salt: 3007.1

Python Version:
  Python: 3.10.14 (main, Apr 3 2024, 21:30:09) [GCC 11.2.0]

Dependency Versions:
  cffi: 1.16.0
  cherrypy: unknown
  dateutil: 2.8.2
  docker-py: Not Installed
  gitdb: Not Installed
  gitpython: Not Installed
  Jinja2: 3.1.4
  libgit2: Not Installed
  looseversion: 1.3.0
  M2Crypto: Not Installed
  Mako: Not Installed
  msgpack: 1.0.7
  msgpack-pure: Not Installed
  mysql-python: Not Installed
  packaging: 23.1
  pycparser: 2.21
  pycrypto: Not Installed
  pycryptodome: 3.19.1
  pygit2: Not Installed
  python-gnupg: 0.5.2
  PyYAML: 6.0.1
  PyZMQ: 25.1.2
  relenv: 0.16.0
  smmap: Not Installed
  timelib: 0.3.0
  Tornado: 6.3.3
  ZMQ: 4.3.4

Salt Package Information:
  Package Type: onedir

System Versions:
  dist: rhel 9.4 Plow
  locale: utf-8
  machine: x86_64
  release: 5.14.0-427.20.1.el9_4.x86_64
  system: Linux
  version: Red Hat Enterprise Linux 9.4 Plow
```

dwoz commented 3 months ago

This should be fixed in 3007.x and back ported to 3006.x, or fixed in 3006.x and merged forward.
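
An added example, not part of this thread and not Salt's own code: a pre-flight audit that reports which files a non-root service account would be refused by plain mode bits, the condition behind the `PermissionError` on `/etc/salt/grains` in the traceback above. The names `class_bits`, `audit`, `sample_stat` and `sample_report` are hypothetical, uid/gid 990 and every owner and mode in `SAMPLE` are constructed assumptions, and ACLs, SELinux and capabilities are not modelled.

```python
import os
import stat
from pathlib import PurePosixPath
from types import SimpleNamespace as S

def class_bits(st, uid, gids):
    """Return the rwx triplet (0-7) that plain mode bits grant uid/gids on this inode."""
    if uid == 0:
        return 7  # root is not stopped by mode bits for read or directory search
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid == uid:
        return (mode >> 6) & 7
    if st.st_gid in gids:
        return (mode >> 3) & 7
    return mode & 7

def audit(paths, uid, gids, stat_fn=os.stat):
    """Map each absolute path to 'ok', 'missing', or 'denied at <blocking component>'."""
    report = {}
    for path in paths:
        try:
            # Directories from / down need the search (x) bit; the file needs read (r).
            blocked = next((str(d) for d in reversed(PurePosixPath(path).parents)
                            if not class_bits(stat_fn(str(d)), uid, gids) & 1), None)
            if blocked is None and not class_bits(stat_fn(path), uid, gids) & 4:
                blocked = path
        except FileNotFoundError:
            report[path] = "missing"
            continue
        report[path] = "ok" if blocked is None else f"denied at {blocked}"
    return report

# Constructed sample tree: uid/gid 990 for "salt" and all owners/modes are assumptions.
SAMPLE = {
    "/": S(st_uid=0, st_gid=0, st_mode=0o040755),
    "/etc": S(st_uid=0, st_gid=0, st_mode=0o040755),
    "/etc/salt": S(st_uid=0, st_gid=0, st_mode=0o040755),
    "/etc/salt/master": S(st_uid=990, st_gid=990, st_mode=0o100640),  # in the chown list
    "/etc/salt/grains": S(st_uid=0, st_gid=0, st_mode=0o100600),  # not in the chown list
}

def sample_stat(path):  # stat() stand-in backed by SAMPLE so the example runs offline
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    return SAMPLE[path]

def sample_report():
    paths = ["/etc/salt/master", "/etc/salt/grains", "/etc/salt/minion"]
    return audit(paths, 990, {990}, stat_fn=sample_stat)
```

On a real host, call `audit()` as root with the service account's actual uid and group ids and leave `stat_fn` at its default so the checks use `os.stat`.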